ADW_KITO.GA

This adware may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

It gathers certain information on the affected computer.

It connects to certain websites to send and receive information.

Arrival Details

This adware may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Installation

This adware drops the following files:

• %Application Data%\okitspace\protect\Interop.Shell32.dll
• %Application Data%\okitspace\protect\NewtonSoft.Json.dll
• %Application Data%\okitspace\protect\utilsDll.dll
• %Application Data%\okitspace\protect\config.xml
• %Application Data%\okitspace\protect\sqlite3.exe
• %Application Data%\okitspace\protect\PluginProtect.exe - detected as ADW_KITO.GA
• %Application Data%\okitspace\uninstallkit.exe
• %User Temp%\ns{random characters}.tmp\SimpleSC.dll - deleted afterwards

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\okitspace
• %Application Data%\okitspace\protect
• %User Temp%\ns{random value}.tmp - deleted afterwards

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This adware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
ImagePath = "%Application Data%\okitspace\protect\PluginProtect.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
DisplayName = "Protect your browser's extensions"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
Start = "2"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect

Other System Modifications

This adware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
PluginProtect

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
PluginProtect
InstallDay = "{System Date and Time}"

Information Theft

This adware gathers the following information on the affected computer:

• System date and time
• Operating system and version
• UserID
• Default browser
• Installed browsers
• Browser Activities

Other Details

This adware connects to the following website to send and receive information:

• http://{BLOCKED}a.{BLOCKED}tk.com/xmlstatic/installers/plugins/okitspace/version
• http://{BLOCKED}a.{BLOCKED}tk.com/xmlstatic/installers/plugins/okitspace/lastplugin
• https://{BLOCKED}s.{BLOCKED}ace.com/software_stats/
• http://{BLOCKED}s.{BLOCKED}ace.com/software_stats/?action_id={id}&action_description={data}&software_id={id}&software_version={version}&user_id={user id}&user_agent={browser application}&user_date={date and time}&channel_id={id}&channel_subid={id}&channel_param={parameter}&_={data}
• http://{BLOCKED}s.{BLOCKED}ace.com/ox.php?{random letter}={data}
• http://{BLOCKED}s.{BLOCKED}ace.com/uploads/cover.js?id={id}&affid={id}&user_agent={browser}&user_id={user ID}&channel_id={ID}&channel_subid={ID}&channel_param={parameter}&software_id={ID}&software_version={version}
• http://{BLOCKED}r.{BLOCKED}ace.com/fast/get_topic_keyword/?keywords={keyword}&base_domain={website domain}&software_id={ID}&script_version={version}&_={data}
• http://{BLOCKED}n.{BLOCKED}ace.com/www/delivery/ajs.php?zoneid={id}&{random letter}={value}&{random letter}={value}&topic={data}&domain={website domain}&path={data}&ext=okitspace&_={data}
• http://{BLOCKED}.{BLOCKED}ashjs.info/base/javascript.js?hid=oksp2&channel={number}
• https://www.{BLOCKED}3.com/js/intext.js?afid=okitagency&subid={id}&maxlinks={number}&linkcolor={number}&affiliate=okitagency

NOTES:

It disguises itself as a browser plugin. Once installed, it is able to produce browser pop-ups and ads into websites.

It monitors all the plugins it installed. If any of the plugins gets disabled, it immediately re-enables the plugin. If any of the plugins is removed, it downloads and installs another copy of the plugin.